Important: Please read the Qt Code of Conduct - https://forum.qt.io/topic/113070/qt-code-of-conduct
Security implications of running use script in QJSEngine
-
I am planning to use QJSEngine to let the user script custom data transforms in https://www.easydatatransform.com . I am just calling QJSEngine::evaluate() and QJSEngine::call() on some script written by the user. I'm not exposing any application objects. What are the security implications? Can they open a web page? Can they read/write files or the registry? Or is it all sandboxed? I had a Google, but I didn't find much.
-
@AndyBrice said in Security implications of running use script in QJSEngine:
I am planning to use QJSEngine to let the user script custom data transforms in https://www.easydatatransform.com . I am just calling QJSEngine::evaluate() and QJSEngine::call() on some script written by the user. I'm not exposing any application objects. What are the security implications? Can they open a web page? Can they read/write files or the registry? Or is it all sandboxed? I had a Google, but I didn't find much.
Start with https://doc.qt.io/qt-5/qtjavascript.html#implications-for-application-security The QJSEngine has the same privileges as the C++ code in your application.
- Does your app have the permissions to launch a web page? (through an external browser. QJSEngine does not have a built-in web engine)
- Does your app have permissions to read/write files or the registry?
-
@JKSH I did see that thanks. But I'm still not clear what they can actually do from Javascript. Is there no sandboxing?
-
@AndyBrice said in Security implications of running use script in QJSEngine:
I'm still not clear what they can actually do from Javascript. Is there no sandboxing?
There is no sandboxing.
As the article suggests, the JavaScript code is allowed to do anything that the C++ code can do.
-
@JKSH I tried a few things:
Opening a url:
window.open();Reading a file:
new XMLHttpRequest();Accessing the registry:
new ActiveXObject("WScript.Shell");None of these worked. So is there anything nasty I can do from inside QJSEngine? If so, what?
-
Just bumping this in the hope that someone can give me an answer.
-
@AndyBrice said in Security implications of running use script in QJSEngine:
None of these worked. So is there anything nasty I can do from inside QJSEngine? If so, what?
Oops, my apologies; I was thinking of QQmlEngine instead of QJSEngine. QQmlEngine does contain
XMLHttpRequest, although it doesn't containwindoworActiveXObject(orFileReaderet al.).If you're using QJSEngine without exposing any C++ objects to it, then I can't think of a script that does anything too terrible to your machine.
It is possible to starve your engine of memory though:
var giant = []; for (var i = 0; i < 1000000000; ++i) giant[i] = new ArrayBuffer(1000000000)I don't think garbage collection can reclaim that memory, as the giant remains in the global object.
If you don't get any definite answers here over the next few days, try subscribing to the Interest mailing list and asking there: https://lists.qt-project.org/listinfo/interest Qt engineers are active on that list; they should have deeper insights into QJSEngine.
-
@JKSH Thanks. I will reply here if I get any more insight.
